Hello Torsten, Besides Sean reply before (which is good!), maybe the issue is also related to the application server your app is using. I'm still on Java5, but I use the Metro WS Stack, and it includes XmlSec as well, so I faced a similar problem (although related to classpath library order).
In Tomcat, there is also a endorsed folder, and I had to include the xmlsec and CL libraries there as well. Maybe there is a similar mechanism in your app server. Sean, what is the right way to have these enhancement in Metro as well? post an issue there? Gerardo On Tue, Sep 8, 2009 at 9:28 AM, <torsten.reinh...@gi-de.com> wrote: > > Hi Sean and all others, > > JDK6u16 is out now since a while, but I still get > > *java.lang.RuntimeException*: *javax.xml.crypto.MarshalException*: > unsupported signature algorithm: > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 > > => Are the stronger algorithms SHA256-RSA re-targeted to another Update of > JDK6 ? > > Please let me know, if there is any solution in sight, or any other > workaround, > since I can´t use the endorsed mechanism due to a lot of side-effects for > others..... > > thanx, Torsten > > > > *Sean Mullan <sean.mul...@sun.com>* > Gesendet von: sean.mul...@sun.com > > 27.05.2009 20:37 > Bitte antworten an > security-dev@xml.apache.org > > An > security-dev@xml.apache.org Kopie > Thema > Re: JDK6 and xmlsec-1.4.2 issue (unsupported signature algorithm) > > > > > torsten.reinh...@gi-de.com wrote: > > > > Hi, > > > > I migrated my application from JDK5 (with external xmlsec-1.4.2.jar) to > > JDK6 (where xmlsec is included now). > > > > After that I got > > javax.xml.crypto.MarshalException: unsupported signature algorithm: > > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 > > at > > > org.jcp.xml.dsig.internal.dom.DOMSignatureMethod.unmarshal(DOMSignatureMethod.java:86) > > at > > > org.jcp.xml.dsig.internal.dom.DOMSignedInfo.<init>(DOMSignedInfo.java:122) > > at > > > org.jcp.xml.dsig.internal.dom.DOMXMLSignature.<init>(DOMXMLSignature.java:119) > > at > > > org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:152) > > at > > > org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:116) > > > > so I tried the lib\endorsed workaround, and put xmlsec-1.4.2 and > > commons-logging into that folder. > > That worked fine for me - but not for my collegues. > > > > They than run into "NoClassDefFoundError" from different points - one > > were missing the Log4J Logger class implementation (could be resolved by > > putting log4j.jar to lib\endorsed), the others had trouble with WSS4J > > and so on. > > > > I wouldn´t like to put all our libraries in the lib\endorsed folder - is > > there another way to use xmlsec-1.4.2 in JDK6.0 ? > > > Is there a plan to include xmlsec-1.4.2 in one of the next JDK patches > > (>=1.6.0_14) ? > > We don't have plans to integrate the entire xmlsec-1.4.2 in Sun's JDK 6. > XMLSec 1.4.2 is already in JDK 7 (via OpenJDK: > https://jdk7.dev.java.net/). However, I have just opened an RFE to add > support for the stronger SHA256-RSA and SHA512-RSA algorithms and > targeted it to JDK 6u16. In the meantime the only workaround I know is > to use the endorsed libraries mechanism. > > --Sean > >
